Dnsdist doh [DO NOT MERGE] #6911
Conversation
I had to upgrade to bionic (from trusty) to get libh2o-evloop and also had to specify
The full configure line I used was
What does
config.log: $ cat /usr/lib/x86_64-linux-gnu/pkgconfig/libh2o-evloop.pc Name: libh2o-evloop
Signed-off-by: Frank Denis <github@pureftpd.org>
force-pushed from c631ea0 to f5c2664
```cpp
uint16_t qtype, qclass;
unsigned int consumed = 0;
DNSName qname(query, len, sizeof(dnsheader), false, &qtype, &qclass, &consumed);
DNSQuestion dq(&qname, qtype, qclass, consumed, &du->dest, &du->remote, dh, 1500, len, false, &queryRealTime);
```
The `1500` here is wrong: it pretends that there are at least 1500 bytes available from the address pointed to by `dh`, which is not true. Rules and `handleEDNSClientSubnet()` will very likely trigger a heap-based out-of-bounds write.
```cpp
uint32_t allowExpired = ss ? 0 : g_staleCacheEntriesTTL;
boost::optional<Netmask> subnet;
char cquery[1500];
memcpy(cquery, query, du->query.length());
```
I don't think you need to copy the query here, unless I'm missing something, since either it will be overwritten by the cached response on a hit, or we won't use `cquery` again before leaving this block.
I also did not check whether the query could be larger than 1500 bytes, which would trigger a stack-based out-of-bounds write.
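The two problems raised above, the `1500` handed to `DNSQuestion` as the space available after `dh` and the unchecked `memcpy` into `char cquery[1500]`, come down to the same thing: a bounds check is only as good as the capacity it is told about. The C++ below is an added illustration, not code from this PR or from dnsdist. `appendTrustingCapacity`, `simulateAppend`, `tryCopyQuery`, the canary harness and the 40-byte filler standing in for an EDNS option are all assumptions made for the demo; the real ECS option layout is not reproduced.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for an EDNS option appended in place (40 filler bytes;
// assumption for the demo, not the real ECS option encoding).
static const std::vector<uint8_t> kFakeOption(40, 0xAB);

// Append `extra` after the `len` bytes already in `buf`, trusting `capacity` as
// the number of bytes available from `buf`. The check is only correct when
// `capacity` is the real allocation size; a claimed value such as 1500 lets it
// pass even though the bytes past the real query belong to something else.
bool appendTrustingCapacity(uint8_t* buf, size_t capacity, size_t& len,
                            const std::vector<uint8_t>& extra) {
    if (len > capacity || extra.size() > capacity - len) {
        return false;
    }
    std::memcpy(buf + len, extra.data(), extra.size());
    len += extra.size();
    return true;
}

struct Outcome {
    bool accepted;         // the append passed its bounds check
    bool canaryClobbered;  // bytes beyond the real query were overwritten
};

// Harness: a heap block holds a `queryLen`-byte query followed by a canary
// region sized to absorb any write the claimed capacity could allow, so the
// experiment itself stays inside the allocation while recording where the
// write landed relative to the real query.
Outcome simulateAppend(size_t queryLen, size_t claimedCapacity) {
    const size_t guard = std::max<size_t>(claimedCapacity, queryLen) + kFakeOption.size();
    std::vector<uint8_t> block(queryLen + guard, 0x00);
    std::fill(block.begin() + queryLen, block.end(), 0xCC);  // canary

    size_t len = queryLen;
    bool ok = appendTrustingCapacity(block.data(), claimedCapacity, len, kFakeOption);

    bool clobbered = std::any_of(block.begin() + queryLen, block.end(),
                                 [](uint8_t b) { return b != 0xCC; });
    return {ok, clobbered};
}

// Stack copy into a fixed buffer, the shape of `char cquery[1500]; memcpy(...)`.
// The hardened form checks the length first and reports rejection instead of
// writing past the end of the array.
constexpr size_t kStackBufSize = 1500;

bool tryCopyQuery(const std::string& query) {
    char cquery[kStackBufSize];
    if (query.size() > sizeof(cquery)) {
        return false;  // would overflow the stack buffer
    }
    std::memcpy(cquery, query.data(), query.size());
    return true;
}
```

With a 60-byte query and a claimed capacity of 1500, the append passes its check and the filler lands in the canary; with the real size (60) it is refused. `tryCopyQuery` shows the corresponding fix for `cquery`: reject an oversize request before the `memcpy`, rather than trusting that every DoH body fits in 1500 bytes.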
```cpp
vector<uint8_t> stripped;
rewriteResponseWithoutEDNS(du->query, stripped);
du->query.assign((const char*)&stripped[0], stripped.size());
}
```
The case of an incoming query with `EDNS` but without `ECS` is not handled here.
…nsdist processing
force-pushed from 3cb8b42 to 8457dbe
Unless I'm mistaken, we always send the request received over DoH to the backend over UDP, advertising an EDNS Payload Size of 4096 (unless there was an existing EDNS OPT RR). Doesn't that mean that we will never be able to handle responses larger than 4096 bytes over DoH?
Starting dnsdist one way results in an error, while another way it works fine. The error message itself should be more specific.
@MaxWichern It should have been fixed by 9bad969, is that not the case? |
That was the initial thought, but it didn't. |
When #7676 gets merged, we need to extend that code to reload h2o certs as well. |
Superseded by #7726. |
Short description
This PR adds DNS over HTTPS support to dnsdist, based on libh2o.
Checklist
I have: